Severity
High
Analysis Summary
As the conflict involving Iran and regional actors enters its second week, cyber activity linked to multiple state-aligned and suspected state-aligned threat actors has increased. While several Iranian hacktivist groups have claimed disruptive operations, espionage-focused Iranian actors appear to be maintaining their traditional intelligence collection priorities despite Iran’s temporary internet shutdown following the initial U.S. and Israeli strikes.
For instance, on 8 March, the Iran-aligned actor TA453 (Charming Kitten/APT42) conducted a credential phishing attempt targeting a U.S. think tank. The activity originated from an earlier email exchange that began prior to the conflict, suggesting the group continues prioritizing established intelligence targets rather than shifting exclusively to war-driven operations.
Alongside Iranian activity, researchers observed a rise in phishing campaigns targeting Middle Eastern government and diplomatic organizations conducted by both known and previously untracked threat actors suspected to be aligned with China, Belarus, and Hamas. Many of these campaigns leveraged war-related narratives as social engineering lures and frequently used compromised government email accounts to distribute phishing messages.
One campaign attributed to the suspected China-aligned cluster UNK_InnerAmbush used the compromised email uzbembish@elcat[.]kg to send phishing emails linking to Google Drive archives such as “Photos from the scene.rar” and “Strike at Gulf oil and gas facilities.zip.” These archives contained LNK shortcuts disguised as images that executed a loader via nvdaHelperRemoteLoader.exe and nvdaHelperRemote.dll, ultimately deploying a Cobalt Strike payload communicating with support.almersalstore[.]com, while tracking pixels monitored recipient engagement.
Similarly, TA402 used the compromised Iraqi Ministry of Foreign Affairs account ban.ali@mofa.gov[.]iq and nqandeel04@gmail[.]com to deliver credential phishing emails directing victims to a spoofed Outlook Web Application page at mail[.]iwsmailserver[.]com.
Another credential-harvesting campaign used the compromised Syrian account ali.mo@med.gov[.]sy and war.analyse.ltd@outlook[.]com to distribute spoofed OneDrive links (iran.dashboard.1drvms[.]store) that prompted reauthentication before redirecting victims to iran.liveuamap[.]com.
Meanwhile, Belarus-aligned TA473 distributed HTML attachments titled “european union statement on the situation in iran and the middle east.html,” which displayed a decoy while sending tracking requests to unityprogressall[.]org.
Separately, TA453 continued its social-engineering campaign by impersonating a researcher using McManus.Michael@hotmail[.]com, initially sharing a benign OneDrive document titled “Air Defense Depletion & Deterrence in the Middle East.pdf.” After establishing rapport, the attacker sent a follow-up link disguised as “Air Defense Depletion & Deterrence in the Middle East-Event Overview.pdf,” which used transfergocompany[.]com to redirect victims to a OneDrive-themed credential phishing page hosted on fileportalshare.netlify[.]app.
Overall, the observed campaigns highlight how the ongoing conflict is being leveraged as a thematic lure while enabling multiple state-aligned actors to conduct intelligence-collection operations against Middle Eastern government and diplomatic targets.
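The detection logic below is an added example, not part of the original advisory: it runs simplified Sysmon-style events (constructed here) through checks for the UNK_InnerAmbush chain described above (an LNK disguised as an image, nvdaHelperRemoteLoader.exe run from a user-writable path, nvdaHelperRemote.dll loaded from that path) plus lookups against the domains and hashes from the Indicators of Compromise section, which also cover the TA402, TA473 and TA453 phishing infrastructure. Assumptions: the image disguise is a double extension such as IMG.jpg.lnk, the event field names are simplified rather than Sysmon's own, and the advisory does not state which file the listed hashes belong to.

```python
import re

# IoC domains and hashes copied from this advisory's indicator list
IOC_DOMAINS = {"support.almersalstore.com", "almersalstore.com", "iwsmailserver.com",
               "unityprogressall.org", "transfergocompany.com"}
IOC_HASHES = {"0456842d1af5760356e52db387f8897f",
              "60344a3a5ad950450cd798f585571d29f13f2dbb",
              "a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d"}
# Assumption: the "image" disguise is a double extension such as photo.jpg.lnk
IMAGE_LNK = re.compile(r"\.(?:jpe?g|png|gif|bmp)\.lnk\b", re.I)
# User-writable locations where an extracted archive usually lands (Windows paths)
USER_PATH = re.compile(r"\\(?:Temp|Downloads|AppData)\\", re.I)

def classify(ev):
    """Return the detection names triggered by one simplified Sysmon-style event dict."""
    hits = []
    if ev["type"] == "file_create":
        if IMAGE_LNK.search(ev.get("target_filename", "")):
            hits.append("lnk_disguised_as_image")
    elif ev["type"] == "process_create":
        img = ev.get("image", "")
        if img.lower().endswith("nvdahelperremoteloader.exe") and USER_PATH.search(img):
            hits.append("loader_run_from_user_path")
    elif ev["type"] == "image_load":
        dll = ev.get("image_loaded", "")
        if dll.lower().endswith("nvdahelperremote.dll") and USER_PATH.search(dll):
            hits.append("nvda_dll_sideload")
    elif ev["type"] == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("ioc_domain_lookup")
    if ev.get("hash", "").lower() in IOC_HASHES:   # any event may carry a file hash
        hits.append("ioc_hash_match")
    return hits

def triage(events):
    """Map each matching event's id to its detections; silent events are omitted."""
    return {ev["id"]: h for ev in events if (h := classify(ev))}

# Constructed sample telemetry mirroring the chain in the advisory
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "target_filename": r"C:\Users\a\Downloads\Photos from the scene\IMG_0412.jpg.lnk"},
    {"id": 2, "type": "process_create", "image": r"C:\Users\a\AppData\Local\Temp\nvdaHelperRemoteLoader.exe",
     "hash": "0456842d1af5760356e52db387f8897f"},  # MD5 from the IoC list; file attribution is constructed
    {"id": 3, "type": "image_load", "image_loaded": r"C:\Users\a\AppData\Local\Temp\nvdaHelperRemote.dll"},
    {"id": 4, "type": "dns_query", "query": "support.almersalstore.com."},
    {"id": 5, "type": "process_create", "image": r"C:\Program Files\NVDA\nvdaHelperRemoteLoader.exe"},  # benign control
]
```

Running `triage(SAMPLE_EVENTS)` flags events 1 to 4 and stays silent on event 5, the same binary name under an install directory, which is the distinction the EDR and allowlisting items in the Remediation section rely on.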
Impact
- Credential Theft
- Data Exfiltration
- Lateral Movement
- Malware Distribution
- Unauthorized Access
- Information Exposure
Indicators of Compromise
Domain Name
- support.almersalstore.com
- almersalstore.com
- iwsmailserver.com
- unityprogressall.org
- transfergocompany.com
IP
- 72.60.90.32
MD5
- 0456842d1af5760356e52db387f8897f
SHA-256
- a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d
SHA-1
- 60344a3a5ad950450cd798f585571d29f13f2dbb
URL
- https://1drv.ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd
Remediation
- Implement multi-factor authentication (MFA) to reduce the risk of unauthorized access even if user credentials are compromised through phishing attacks.
- Conduct regular phishing awareness training so employees can identify suspicious emails, malicious attachments, and spoofed login pages related to conflict-themed lures.
- Deploy advanced email security filtering to detect and block phishing messages, malicious links, and suspicious attachments before they reach users.
- Monitor and block suspicious domains and URLs using DNS filtering and threat intelligence feeds to prevent access to phishing pages and command-and-control infrastructure.
- Restrict the execution of LNK files, scripts, and other commonly abused file types to reduce the likelihood of malware loaders executing on endpoints.
- Deploy endpoint detection and response (EDR) solutions to identify suspicious behaviors such as DLL sideloading, abnormal PowerShell activity, and unauthorized executable downloads.
- Implement application allowlisting to ensure that only approved and trusted software can run within the environment.
- Monitor outbound network traffic for unusual connections to external infrastructure that may indicate command-and-control communication.
- Regularly patch and update operating systems and applications to mitigate exploitation of known vulnerabilities.
- Enable centralized logging and monitoring within SIEM platforms to detect indicators of compromise and suspicious authentication activity.
- Establish verification procedures for external communications and attachments to ensure unexpected invitations, documents, or links are validated before being opened.
- Isolate potentially compromised systems quickly and conduct forensic analysis to prevent further spread of malware or unauthorized access within the network.